IN THE CLAIMS:

1. (CURRENTLY AMENDED) A method for implementing port-based network access control at a shared media port in an intermediate node, the shared media port being a physical interface coupled to a plurality of client nodes, the method comprising:

partitioning the shared media port into a plurality of logical subinterfaces, wherein a logical subinterface is a logical division of a physical interface, each logical subinterface dedicated to providing access to a different network or subnetwork accessible through the intermediate node;

receiving a data packet at the shared media port from a first client node;

associating the received data packet with a first logical subinterface in the plurality of logical subinterfaces;

determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork;

if the first client node is determined to be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork, forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork;

receiving a second data packet at the shared media port from a second client node;

associating the second received data packet with the first logical subinterface;

determining whether the second client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork; and

if the second client node is determined to not be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork, preventing the second received data packet from being forwarded over the first logical subinterface's dedicated network or subnetwork, while still allowing data packets from the first client node to be forwarded if the first client node is determined to be authenticated.

2. (ORIGINAL) The method according to claim 1, further comprising:

performing at least one of dropping the received data packet or reclassifying the received data packet to a different logical subinterface, if the first client node is determined not to be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork.

3. (ORIGINAL) The method according to claim 1, wherein the first logical subinterface's dedicated network or subnetwork is a virtual private network (VPN).

4. (ORIGINAL) The method according to claim 1, wherein a logical subinterface in the 
plurality of logical subinterfaces is dedicated to providing access to the Internet. 

5. (ORIGINAL) The method according to claim 1, wherein the step of determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork further comprises:

parsing a source media access control (MAC) address from the received data packet;

indexing an entry in a MAC filter associated with the shared media port based on the value of the parsed source MAC address;

identifying an authentication state stored in the indexed MAC-filter entry; and

determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork based on the authentication state stored in the indexed MAC-filter entry.

6. (ORIGINAL) The method according to claim 5, wherein the MAC filter is organized 
as a hash table. 

7. (ORIGINAL) The method according to claim 1, further comprising:

parsing a destination Internet Protocol (IP) address from the received data packet;

comparing the parsed destination IP address to one or more IP addresses stored in an IP filter associated with the shared media port; and

if the parsed destination IP address matches an IP address stored in the IP filter, forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork, even if the first client node is determined not to be authenticated to communicate over that network or subnetwork.

8. (ORIGINAL) The method according to claim 1, wherein the step of associating the received data packet with the first logical subinterface further comprises:

locating an entry in a routing table configured to store routing information associated with the received data packet; and

associating the received data packet with the first logical subinterface based on the contents of the routing-table entry.

9. (ORIGINAL) The method according to claim 1, further comprising:

receiving an authentication request from the first client node at the shared media port;

in response to receiving the authentication request, creating a MAC filter associated with the shared media port if the MAC filter has not already been created;

copying a source MAC address stored in the received authentication request into an appropriate entry in the MAC filter;

forwarding the received authentication request to an authentication service;

receiving a response from the authentication service, the response identifying an authentication state associated with the first client node; and

storing the authentication state into the same MAC-filter entry into which the source MAC address was copied.

10. (ORIGINAL) The method according to claim 9, wherein the step of copying the source MAC address into an appropriate MAC-filter entry further comprises:

indexing an entry in the MAC filter based on the result of applying a hash function to the source MAC address; and

storing the source MAC address at the indexed MAC-filter entry.

11. (ORIGINAL) The method according to claim 9, wherein the received authentication request is an 802.1X authentication request.

12. (ORIGINAL) The method according to claim 9, further comprising:

sending an alarm message over the first logical subinterface's dedicated network or subnetwork after the first client node fails to authenticate at the shared media port a predetermined number of times.

13. (ORIGINAL) The method according to claim 9, further comprising:

sending an alarm message over the first logical subinterface's dedicated network or subnetwork after the first client node's authentication state changes from an authenticated state to an unauthenticated or unknown state.

14. (CURRENTLY AMENDED) An intermediate node for implementing port-based network access control in a network containing a plurality of client nodes, the intermediate node comprising:

a processor;

a shared media port that is a physical interface for receiving a data packet from a first client node, and a second data packet from a second client node, in the plurality of client nodes; and

a memory adapted to store instructions for execution by the processor, at least a portion of the instructions defining a network operating system configured to perform the steps of:

partitioning the shared media port into a plurality of logical subinterfaces, wherein a logical subinterface is a logical division of a physical interface, each logical subinterface dedicated to providing access to a different network or subnetwork accessible through the intermediate node;

associating the data packet received from the first client node with a first logical subinterface in the plurality of logical subinterfaces;

determining whether the first client node is authenticated to communicate over the network or subnetwork to which the first logical subinterface provides dedicated access;

forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork only if the first client node is determined to be authenticated to communicate over that network or subnetwork;

associating the second received data packet with the first logical subinterface;

determining whether the second client node is authenticated to communicate over the first logical subinterface; and

preventing the second received data packet from being forwarded over the first logical subinterface's dedicated network or subnetwork if the second client node is determined to not be authenticated to communicate over that network or subnetwork, while still allowing data packets from the first client node to be forwarded over that network or subnetwork if the first client node is determined to be authenticated.

15. (ORIGINAL) The intermediate node according to claim 14, wherein:

the memory is further adapted to store a MAC filter containing one or more entries configured to store at least a MAC address and an authentication state, and

the network operating system is further configured to perform the steps:

receiving an authentication request from the first client node at the shared media port;

copying a source MAC address stored in the received authentication request into an appropriate entry in the MAC filter;

forwarding the received authentication request to an authentication service;

receiving a response from the authentication service, the response identifying an authentication state associated with the first client node; and

storing the authentication state into the same MAC-filter entry into which the source MAC address was copied.

16. (ORIGINAL) The intermediate node according to claim 14, wherein:

the memory is further adapted to store an IP filter containing a list of IP addresses, and

the network operating system is further configured to perform the steps:

parsing a destination IP address from the received data packet;

comparing the parsed destination IP address to one or more IP addresses stored in an IP filter associated with the shared media port; and

if the parsed destination IP address matches an IP address stored in the IP filter, forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork, even if the first client node is determined not to be authenticated to communicate over that network or subnetwork.

17. (ORIGINAL) The intermediate node according to claim 14, wherein:

the memory is further adapted to store a MAC filter containing one or more entries configured to store at least a MAC address and an authentication state, and

the network operating system is further configured to perform the steps:

parsing a source MAC address from the received data packet;

indexing an entry in a MAC filter associated with the shared media port based on the value of the parsed source MAC address;

identifying an authentication state stored in the indexed MAC-filter entry; and

determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork based on the authentication state stored in the indexed MAC-filter entry.

18. (CURRENTLY AMENDED) An apparatus that implements port-based network access control at a shared media port, the shared media port being a physical interface coupled to a plurality of client nodes, the apparatus comprising:

means for partitioning the shared media port into a plurality of logical subinterfaces, wherein a logical subinterface is a logical division of a physical interface, each logical subinterface dedicated to providing access to a different network or subnetwork accessible through the intermediate node;

means for receiving a data packet at the shared media port from a first client node;

means for associating the received data packet with a first logical subinterface in the plurality of logical subinterfaces;

means for determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork;

means for forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork;

means for receiving a second data packet at the shared media port from a second client node;

means for associating the second received data packet with the first logical subinterface;

means for determining whether the second client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork; and

means for preventing the second received data packet from being forwarded over the first logical subinterface's dedicated network or subnetwork, while still allowing data packets from the first client node to be forwarded.
19. (ORIGINAL) The apparatus according to claim 18, wherein the means for determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork further comprises:

means for parsing a source MAC address from the received data packet;

means for indexing an entry in a MAC filter associated with the shared media port based on the value of the parsed source MAC address;

means for identifying an authentication state stored in the indexed MAC-filter entry; and

means for determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork based on the authentication state stored in the indexed MAC-filter entry.

20. (ORIGINAL) The apparatus according to claim 18, further comprising:

means for parsing a destination IP address from the received data packet;

means for comparing the parsed destination IP address to one or more IP addresses stored in an IP filter associated with the shared media port; and

means for forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork, even if the first client node is determined not to be authenticated to communicate over that network or subnetwork.

21. (ORIGINAL) The apparatus according to claim 18, wherein the means for associating the received data packet with the first logical subinterface further comprises:

means for locating an entry in a routing table configured to store routing information associated with the received data packet; and

means for associating the received data packet with the first logical subinterface based on the contents of the routing-table entry.

22. (ORIGINAL) The apparatus according to claim 18, further comprising:

means for receiving an authentication request from the first client node at the shared media port;

means for creating a MAC filter associated with the shared media port if the MAC filter has not already been created;

means for copying a source MAC address stored in the received authentication request into an appropriate entry in the MAC filter;

means for forwarding the received authentication request to an authentication service;

means for receiving a response from the authentication service, the response identifying an authentication state associated with the first client node; and

means for storing the authentication state into the same MAC-filter entry into which the source MAC address was copied.

23. (ORIGINAL) The apparatus according to claim 22, wherein the received authentication request is an 802.1X authentication request.

24. (CURRENTLY AMENDED) A computer-readable media including instructions for execution by a processor, the instructions for a method of implementing port-based network access control at a shared media port in an intermediate node, the shared media port being a physical interface coupled to a plurality of client nodes, the method comprising the steps:

partitioning the shared media port into a plurality of logical subinterfaces, wherein a logical subinterface is a logical division of a physical interface, each logical subinterface dedicated to providing access to a different network or subnetwork accessible through the intermediate node;

receiving a data packet at the shared media port from a first client node;

associating the received data packet with a first logical subinterface in the plurality of logical subinterfaces;



10 



PATENTS 
112025-0530 
Seq. #6769 CPOU245784 



determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork;

if the first client node is determined to be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork, forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork;

receiving a second data packet at the shared media port from a second client node;

associating the second received data packet with the first logical subinterface;

determining whether the second client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork; and

if the second client node is determined to not be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork, preventing the second received data packet from being forwarded over the first logical subinterface's dedicated network or subnetwork, while still allowing data packets from the first client node to be forwarded if the first client node is determined to be authenticated.

25. (CURRENTLY AMENDED) An apparatus comprising:

a shared media port that is a physical interface and has a trusted subinterface configured to provide access to a trusted network or subnetwork and an untrusted subinterface configured to provide access to an untrusted network or subnetwork, wherein a subinterface is a logical division of a physical interface;

an authenticator configured to receive authentication requests from a plurality of client nodes and, in response to the authentication requests, to independently assign to each of the plurality of client nodes an authentication state; and

a media access control (MAC) filter configured to maintain an entry for each client node indicating the authentication state of the client node and a MAC address of the client node, and in response to receipt of a data packet from a particular client node directed to the trusted subinterface, to index to an entry in the MAC filter based on a source MAC address of the data packet, to identify the authentication state of the particular client node stored in the indexed MAC-filter entry, and to determine whether the particular client node is authenticated to communicate over the trusted subinterface, and, if so, to permit the particular client node to access the trusted subinterface,

wherein the media access control (MAC) filter grants client nodes access on a client-by-client basis.

26. (PREVIOUSLY PRESENTED) The apparatus of claim 25, wherein the media access control (MAC) filter is further configured to redirect the data packet from the particular client node directed to the trusted subinterface to the untrusted subinterface if the particular client node is not authenticated to communicate over the trusted subinterface.

27. (PREVIOUSLY PRESENTED) The apparatus according to claim 25, wherein the 
trusted network or subnetwork is a virtual private network (VPN). 

28. (PREVIOUSLY PRESENTED) The apparatus according to claim 25, wherein the 
untrusted network or subnetwork is the Internet. 

29. (NEW) A method for implementing port-based network access control at a shared media port in an intermediate node, the shared media port being a physical interface coupled to a plurality of client nodes, the method comprising:

partitioning the shared media port into a plurality of logical subinterfaces by logically dividing the shared media port into subinterfaces, each logical subinterface dedicated to providing access to a different network or subnetwork accessible through the intermediate node;

receiving a data packet at the shared media port from a first client node;

associating the received data packet with a first logical subinterface in the plurality of logical subinterfaces;

determining whether the first client node is authenticated to communicate over the first logical subinterface's dedicated network or subnetwork; and

if the first client node is determined to be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork, forwarding the received data packet over the first logical subinterface's dedicated network or subnetwork.

30. (NEW) The method according to claim 29, further comprising:

performing at least one of dropping the received data packet or reclassifying the received data packet to a different logical subinterface, if the first client node is determined not to be authenticated to communicate over the first logical subinterface's dedicated network or subnetwork.

31. (NEW) The method according to claim 29, wherein the first logical subinterface's 
dedicated network or subnetwork is a virtual private network (VPN). 

32. (NEW) The method according to claim 29, wherein a logical subinterface in the plurality of logical subinterfaces is dedicated to providing access to the Internet.
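The following Python model is an added illustration, not part of the claims or of any applicant implementation: it exercises the per-client forwarding decision of claims 1, 2, 7, 25 and 26 (MAC-filter lookup, IP-filter exemption, reclassification to the untrusted subinterface) and the authentication bookkeeping of claims 9 through 13 (lazily created hash-indexed MAC filter, alarms on repeated failures and on loss of authenticated state). The sha256 bucket index, the `auth_service` callback and every address value are constructed assumptions.

```python
import hashlib
from enum import Enum


class AuthState(Enum):
    UNKNOWN = "unknown"
    AUTHENTICATED = "authenticated"
    UNAUTHENTICATED = "unauthenticated"


class SharedMediaPort:
    """One physical port partitioned into logical subinterfaces (claim 1)."""

    def __init__(self, subinterfaces, untrusted=None, ip_filter=(), fail_threshold=3, buckets=64):
        self.subinterfaces = set(subinterfaces)
        self.untrusted = untrusted            # target of reclassification (claims 2, 26)
        self.ip_filter = set(ip_filter)       # destinations reachable before authentication (claim 7)
        self.fail_threshold = fail_threshold  # consecutive failures that raise an alarm (claim 12)
        self.buckets = buckets
        self.mac_filter = None                # created on the first authentication request (claim 9)
        self.failures = {}
        self.alarms = []

    def _index(self, mac):
        # Claim 10: the MAC filter is a hash table indexed by a hash of the source MAC
        # (sha256 is an assumption; the claims do not name the hash function).
        return int(hashlib.sha256(mac.encode()).hexdigest(), 16) % self.buckets

    def _state(self, mac):
        if self.mac_filter is None:           # no filter yet, so nobody is authenticated
            return AuthState.UNKNOWN
        return self.mac_filter[self._index(mac)].get(mac, AuthState.UNKNOWN)

    def authenticate(self, src_mac, auth_service):
        """Claim 9: copy the MAC into its filter entry, query the authenticator, store the reply."""
        mac = src_mac.lower()
        if self.mac_filter is None:
            self.mac_filter = {i: {} for i in range(self.buckets)}
        bucket = self.mac_filter[self._index(mac)]
        previous = bucket.get(mac, AuthState.UNKNOWN)
        bucket[mac] = AuthState.UNKNOWN       # entry holds the MAC before the reply arrives
        state = auth_service(mac)             # e.g. a RADIUS server behind an 802.1X authenticator
        bucket[mac] = state                   # same entry into which the MAC was copied
        if state is AuthState.AUTHENTICATED:
            self.failures[mac] = 0
        else:
            self.failures[mac] = self.failures.get(mac, 0) + 1
            if self.failures[mac] == self.fail_threshold:   # claim 12
                self.alarms.append(f"{mac}: {self.fail_threshold} consecutive authentication failures")
        if previous is AuthState.AUTHENTICATED and state is not AuthState.AUTHENTICATED:
            self.alarms.append(f"{mac}: state changed from authenticated to {state.value}")  # claim 13
        return state

    def forward(self, src_mac, dst_ip, subinterface):
        """Claims 1, 2, 7, 25 and 26: returns (verdict, subinterface the packet leaves on)."""
        if subinterface not in self.subinterfaces:
            return ("drop", None)
        if subinterface == self.untrusted:    # claim 25 filters only packets directed to the trusted side
            return ("forward", subinterface)
        if dst_ip in self.ip_filter:          # claim 7: exempt destination, even if unauthenticated
            return ("forward", subinterface)
        if self._state(src_mac.lower()) is AuthState.AUTHENTICATED:
            return ("forward", subinterface)
        if self.untrusted in self.subinterfaces:   # claim 26: redirect to the untrusted subinterface
            return ("reclassify", self.untrusted)
        return ("drop", None)                 # claim 2: otherwise drop
```

Note that the IP-filter exemption applies regardless of authentication state, so the addresses placed in it should be limited to what an unauthenticated client legitimately needs (for instance the authentication service itself).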